In today’s SB Blogwatch, we have little sympathy. Your humble blogwatcher curated these bloggy bits for your entertainment.

What’s the craic? Raphael Satter and Praveen Menon report, in “Hackers behind ransomware outbreak lower demand to $50 mln”:

The hackers who have claimed responsibility for an international ransomware outbreak have lowered their asking price. … The REvil ransomware gang, also known as Sodinokibi, is publicly demanding $70 million to restore the data it’s holding ransom after their data-scrambling software affected hundreds of small and medium businesses. But in a conversation with Jack Cable of the cybersecurity-focused Krebs Stamos Group, one of the gang’s affiliates said he could sell a “universal decryptor” … for $50 million. … Another expert … Allan Liska … said that the hackers, by encrypting so much data from so many businesses at once, may have bitten off more than they could chew: “For all of their big talk on their blog, I think this got way out of hand.” … “It makes you wonder if they’re having a hard time getting people to pay,” he said.

How did it work? Mark Loman, Sean Gallagher and Anand Ajjan call it a “supply chain exploit”:

The Kaseya Agent Monitor … AGENTMON.EXE … in turn wrote out the Base64-encoded malicious payload AGENT.CRT to the VSA agent “working” directory for updates (by default, C:\KWORKING\). AGENT.CRT is encoded to prevent malware defenses from performing static file analysis with pattern scanning and machine learning when it is dropped. … There are some factors that stand out in this attack when compared to others. First, because of its mass deployment, this REvil attack makes no apparent effort to exfiltrate data. … Attacks were customized to some degree based on the size of the organization, meaning that REvil actors had access to VSA server instances and were able to identify individual customers of MSPs as being different from larger organizations. … And there was no sign of deletion of volume shadow copies, a behavior common among ransomware that triggers many malware defenses. … While zero-day supply-chain exploits are rare, we’ve already seen two major systems management platforms exploited in the past year. … While Sunburst was apparently a state-funded attack, ransomware operators clearly have the resources to continue to acquire additional exploits.

But should we really be calling this a “supply chain” attack? Simon Sharwood says not, in “Kaseya says it’s seen no sign of supply chain attack”:

[Kaseya] offered its users a ray of hope with news that it is testing a patch for its on-prem software and is considering restoring its SaaS services on Tuesday. It’s been unable to find signs its code was maliciously modified. … Kaseya has advised its users to pull the plug on their on-prem VSA servers, so news that a fix is imminent will be welcome - but news that it will arrive later than the SaaS fix will not. And of course, patches for enterprise software are not simple affairs - there’s every chance users will have plenty of work to do once the fix is applied. … The company has also posted an initial analysis of the attack that states it has found “no evidence that Kaseya’s VSA codebase has been maliciously modified. … The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. … This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware.”

O RLY? DIVD’s Victor Gevers opens the kimono, in “Case Update”:

Yes, Wietse Boonstra … has previously identified a number of the zero-day vulnerabilities which are currently being used in the ransomware attacks. … And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines (aka coordinated vulnerability disclosure).
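The Sophos quote above describes a Base64-encoded payload dropped with a certificate-like name (AGENT.CRT) into the agent working directory so that static scanners see only text. Below is an added defender-side check, not code from the page or from Sophos or Kaseya: it decodes candidate .crt files in a working directory and flags any whose decoded bytes carry a PE (MZ) header, while leaving genuine PEM certificates alone. The directory layout, file names and sample contents are constructed for the demonstration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Base64 alphabet plus padding and line breaks; a PEM certificate fails this
# because of its "-----BEGIN CERTIFICATE-----" banner (dashes and spaces).
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def looks_like_base64_pe(data: bytes) -> bool:
    """True if `data` is Base64 text that decodes to a PE image (starts with 'MZ')."""
    stripped = data.strip()
    if not stripped or not B64_RE.match(stripped):
        return False
    try:
        decoded = base64.b64decode(stripped)  # default mode ignores line breaks
    except (binascii.Error, ValueError):
        return False
    return decoded[:2] == b"MZ"


def scan_working_dir(working_dir: Path, suffixes=(".crt",)) -> list:
    """Return sorted names of files under `working_dir` that are Base64-wrapped PEs."""
    hits = []
    for path in Path(working_dir).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            if looks_like_base64_pe(path.read_bytes()):
                hits.append(path.name)
    return sorted(hits)


def build_constructed_samples(target: Path) -> None:
    """Write constructed sample files (not real artifacts) into `target`."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200  # dummy PE-like bytes
    (target / "agent.crt").write_bytes(base64.encodebytes(fake_pe))  # should be flagged
    (target / "server.crt").write_bytes(
        b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")  # benign PEM
    (target / "key.crt").write_bytes(b"aGVsbG8=\n")  # Base64 but decodes to "hello"
    (target / "notes.crt").write_bytes(b"just some text, not a payload\n")


def demo() -> list:
    """Build the constructed samples in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(Path(tmp))
        return scan_working_dir(Path(tmp))


if __name__ == "__main__":
    print(demo())  # ['agent.crt']
```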